MSS
Executive Summary
Managing threats and maintaining the security and integrity of an infrastructure is becoming increasingly difficult for most organizations. The rapid development of Internet technologies and emerging architectures makes this more and more difficult. During the race for bleeding-edge technologies and rapid versioning, many organizations experience a variety of difficulties. Technological isolation (obsolete technologies) and delays in migration caused by expense or financial status create further problems for economic growth. Small and medium-sized businesses suffer from these issues more than enterprise-level businesses. The better the infrastructure, the greater the impact of a company's technology investments on growth. Small and mid-sized businesses play an important role in a nation's economic development, especially in developing countries, and in recent years the same has been true of developed nations. The average growth rate of small and mid-sized businesses is getting increasingly higher. The most interesting fact is that these businesses depend heavily on Internet technologies such as Internet marketing and low-cost cyber infrastructure. No business can survive without a coherent strategy, and its existence and survival will be determined by new parameters such as adequate technology and infrastructure, which help companies execute and grow smoothly and flexibly. With the development of these areas, the need for skilled people, and the monetary value of the high-quality workers who deploy, manage and maintain new and existing business infrastructure, has added more pressure to the existing strategy. Because of the lack of quality workers, due to their higher demand and salary requirements, small and mid-sized businesses entered cyberspace with a severe information security problem.
Today, a number of companies have adopted many recent technologies, including Virtualization, Cloud and Managed Service Providers (MSP), which increase revenues rapidly due to the cost. The lack of skilled people, the shortage of knowledge and capital, managerial practices and inadequate strategies for adopting technology have vastly increased the security risks. The emergence of Managed Security Provider Services has successfully addressed the issue, and recently many small and mid-sized business owners have agreed that this will heal the headaches they have experienced throughout these years.
Small and mid-sized businesses are quite efficient and effective compared to large organizations in several areas:
• Build a strong niche
• More control
• Flexible and adapt to changes faster
• Better communications
• Better collaboration
Each of these areas has significantly improved with Information and Communication Technology. To maintain the integrity of these areas, a more flexible and smooth infrastructure is required. Managed Service Providers have become the dominant players in meeting these requirements. Today, most small and mid-sized businesses rely on MSPs.
Information Security
Securing information is becoming more and more difficult with the emergence of numerous bleeding-edge technologies and versioning. Recent technologies such as Virtualization and Cloud Computing will improve many businesses and reduce resource requirements considerably, thus enabling adoption by small and mid-sized business units. The knowledge does not come for free. IT professionals, systems engineers, communication engineers, network engineers and security engineers have to upgrade their knowledge from time to time, and this increases the value of the individual, which creates a serious shortage of skilled people for small and mid-sized organizations. Rather than hiring individuals with the necessary knowledge, they have to select a professional who has partial education, knowledge and experience in all the fields. Unfortunately, many IT professionals and even systems administrators do not have the proper knowledge to secure information and maintain integrity while ensuring confidentiality.
secured. When considering the cloud, not only the hosted systems but also the host (which is the cloud) has to be protected using the provided mechanisms.
Virtualization
The virtualization era has made life easier for many organizations, especially when considering hardware requirements, which can be expensive. Special knowledge and experience are required to manage and maintain such systems. A number of virtualization services and platforms have emerged in recent years. Technology specialists with expertise in these areas are few in number and have higher salary expectations, which is not a good option for small and medium-sized businesses.
When considering these technologies, risk factor, skills, human factor, the CIA triad, cost and compliance, Managed Security Services becomes an elegant option.
Benefits
• Cost: The cost of an MSSP is lower than employing an on-site workforce. With infrastructures and customers spread around the globe, MSSPs are able to reduce costs by spreading them among numerous clients.
• Skills: MSSPs hire qualified professionals and have better insight into emerging threats and mitigation procedures because of the spread of their services and customer base.
• Compliance: Addressing and absorbing regulations will be handled by MSSPs as required. MSSPs are often well connected to law enforcement agencies around the world.
• Work Force (Security Awareness): Recruiting, training and re-training security staff costs organizations more. With MSSPs, clients never face skill shortage issues, because MSSPs have professionals with knowledge of the latest technologies. This keeps the security budget constant and avoids spikes.
• Availability and Performance: 24x7x365 services and regular optimizations.
• Consolidation: Managing and monitoring various devices, technologies and security controls can be overwhelming for new businesses and for those who recently adopted new infrastructures. By using services from an MSSP, the potential risks from obsolete and unmanaged systems and from unpatched and vulnerable systems can be mitigated, because service providers continuously monitor and assess their infrastructure. MSSPs offer hardware, system and software update services.
• Facilities: Managed SOCs (Security Operations Control Centres).
• Accountability and Auditability
Evaluating an MSSP
A properly detailed proposal is required prior to evaluating the service provider. This proposal from the MSSP must address all the requirements and provide details including:
• Reputation: An MSSP must have a proper reputation, and it has to be visible to the public.
• Clients and Referrals: A contact list of current clients has to be available to new clients.
• Knowledge and Experience: Proven quality and proficiency of the professionals have to be included.
• Financial Status: An MSSP has to be financially strong in order to survive a disaster situation.
• Capabilities: The MSSP has to address each technological requirement and has to agree to provide them in a timely manner and with confidence.
• Strategy: A clear operation and support strategy and incident management.
• Trusted Third-party (tiered) Contractors: If the MSSP maintains several tiers and third-party contractors, there has to be a procedure to perform checks on their background as well.
• QoS: The architecture of the MSSP, quality of professionals, assets, hardware, software, availability, scalability and a clear view of layers (services), and the quality of auditing, reporting and privacy have to be evaluated.
• Upgrades and Migrations: MSSPs have to have packages that suit customers according to their requirements as well as according to laws and regulations.
• Disaster Recovery Strategy: Clear disaster recovery procedures, tools, assets and workforce.
A service-level agreement (SLA) is a contract between a network service provider and a customer that specifies, usually in measurable terms, what services the network service provider will furnish. Many Internet service providers (ISP)s provide their customers with an SLA. More recently, IS departments in major enterprises have adopted the idea.
[TECHTARGET 01]
Service Level Agreement (SLA) (ITILv3): An Agreement between an IT Service Provider and a Customer. The SLA describes the IT Service, documents Service Level Targets, and specifies the responsibilities of the IT Service Provider and the Customer. A single SLA may cover multiple IT Services or multiple Customers. [ITIL v2, v3]
Service Level Agreement (SLA) (ITILv2): A formal, negotiated document that defines (or attempts to define) in quantitative (and perhaps qualitative) terms the service being offered to a Customer. Confusion must be avoided over whether the quantitative definitions constitute thresholds for an acceptable service, targets to which the supplier should aspire or expectations that the supplier would strive to exceed. Any metrics included in a Service Level Agreement (SLA) should be capable of being measured on a regular basis and the SLA should record by whom. Typically it will cover: service hours, service availability, Customer support levels, throughputs and responsiveness, restrictions, functionality and the service levels to be provided in a contingency. It may also include information on security, charges and terminology. Apart from regular periodic reviews, SLAs should be renegotiated whenever a business service is subject to a change of requirement or there is an inability to deliver to requirement. [ITIL v2, v3]
The SLA must be carefully examined before the contract. It must cover every aspect of the service that the MSSP will provide.
• Extensive usage of Cyber Resources and Integration of IT
• Capability of reaching Higher Performance and QoS expectations
• Sustainability
• Regular Unmanaged Security Threats
• Extensive Financial Benefits
• Flexibility to Address and Adapt Marketing Changes
• Address Scalability requirements with readily available assets and technologies
• Readily Available Solutions and Packages
• No additional Time Consumption and Effort
• Tend to use Outsourcing regularly
• No additional crew or training cost
• 24x7 Operations
• Collaborative effort
Managed Security Services are becoming one of the best options to manage, maintain and optimize information security. For many large organizations this can be an option, but for small and medium-sized businesses MSS have become a main component. With proper initiation and relationship management (the lifecycle of the services), MSSs can become a lifesaver. Not just loss of profit but also leakage of sensitive information can be mitigated successfully. Today many small and mid-sized businesses benefit from such services. Giants like IBM and AT&T are already providing quality security services as Managed Security Service Providers. There are many cost-effective solutions and reliable service providers to choose from. Starting an MSS firm is a perfect idea according to market research. It has many challenges and has to deal with many areas such as financial services, health services, manufacturing services, the public sector and many others, but nothing is beyond the available resources, given recent innovations in ICT. It is a highly profitable area and a lifetime opportunity to reach the world and to become the owner of a world-class firm.
Conclusion
ICT has become a main component of the business process of small to medium businesses and plays a vitally important role. It is a main part of the business strategy, tying the unequal business components (departments, for example) together so that they function efficiently and effectively. ICT is one of the main forces strengthening each department, thus reducing many of the costs involved in the entire process and enabling organizations to reach the expected profits without much hassle. With a smaller human workforce and integrated technologies and components functioning 24x7, the workload and the net effort needed are reduced extensively for business owners. But these technologies and automations will be effective and efficient if and only if they keep their Integrity, Confidentiality and Availability. That has become the most difficult issue to address, given recent cyber threats, system vulnerabilities and the cost involved in securing business infrastructures. This is why MSSs become a lifesaver. With MSSs this is not a dream any more. Many small and medium-scale businesses face huge pressure from large competitors. But a proper ICT strategy absorbed into the business process, a high-tech infrastructure, less operation time, searching for and exploiting the weaknesses of large competitors and, most importantly, closing the information security gaps will reduce the pressure and improve the business. While ICT fuels the ongoing business, MSSs will guarantee Integrity and Availability, so organizations can integrate more and more IT components into the business and keep conquering the world further via cyberspace. A properly maintained relationship with an MSSP will ensure business profits as well as uptime and proper functionality. Information leakage and financial disruption due to information security reasons can be mitigated through a collaborative effort with an MSSP.
Many small to medium organizations nowadays integrate MSSs without a doubt, and thanks to many service providers they survive in the wild cyberspace. Many highly rated and well-reputed medium to large-scale MSSPs with quality services are available around the globe. Information security is some mouse clicks away. It's time for a new change!